Defender, Prevent information Disclosure .htaccess not working

I have clicked so many times, but still red.
Also I tried giving permission to .htaccess but it did not solve the problem.

  • Predrag Dubajic

    Hey club mega,

    Hope you're doing well today :slight_smile:

    Can you check your main .htaccess file (the one in root WP folder) and see if these Defender rules are added there:

    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    If it's not, try adding them yourself at the end of the file and see if the hardening rule status changes.

    If they are already there, it's possible that you have some aggressive caching that prevents Defender from updating the status of this rule in real time.

    Let us know how it goes.

    Best regards.
    Predrag

  • club mega
    # BEGIN WP Rocket v2.9.9
    # Use UTF-8 encoding for anything served text/plain or text/html
    AddDefaultCharset UTF-8
    # Force UTF-8 for a number of file formats
    <IfModule mod_mime.c>
    AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
    </IfModule>
    
    # FileETag None is not enough for every server.
    <IfModule mod_headers.c>
    Header unset ETag
    </IfModule>
    
    # Since we’re sending far-future expires, we don’t need ETags for static content.
    # developer.yahoo.com/performance/rules.html#etags
    FileETag None
    
    <IfModule mod_alias.c>
    <FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$">
    <IfModule mod_headers.c>
    Header set X-Powered-By "WP Rocket/2.9.9"
    Header unset Pragma
    Header append Cache-Control "public"
    Header unset Last-Modified
    </IfModule>
    </FilesMatch>
    
    <FilesMatch "\.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$">
    <IfModule mod_headers.c>
    Header unset Pragma
    Header append Cache-Control "public"
    </IfModule>
    </FilesMatch>
    </IfModule>
    
    # Expires headers (for better cache control)
    <IfModule mod_expires.c>
    ExpiresActive on
    
    # Perhaps better to whitelist expires rules? Perhaps.
    ExpiresDefault                          "access plus 1 month"
    
    # cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
    ExpiresByType text/cache-manifest       "access plus 0 seconds"
    
    # Your document html
    ExpiresByType text/html                 "access plus 0 seconds"
    
    # Data
    ExpiresByType text/xml                  "access plus 0 seconds"
    ExpiresByType application/xml           "access plus 0 seconds"
    ExpiresByType application/json          "access plus 0 seconds"
    
    # Feed
    ExpiresByType application/rss+xml       "access plus 1 hour"
    ExpiresByType application/atom+xml      "access plus 1 hour"
    
    # Favicon (cannot be renamed)
    ExpiresByType image/x-icon              "access plus 1 week"
    
    # Media: images, video, audio
    ExpiresByType image/gif                 "access plus 1 month"
    ExpiresByType image/png                 "access plus 1 month"
    ExpiresByType image/jpeg                "access plus 1 month"
    ExpiresByType video/ogg                 "access plus 1 month"
    ExpiresByType audio/ogg                 "access plus 1 month"
    ExpiresByType video/mp4                 "access plus 1 month"
    ExpiresByType video/webm                "access plus 1 month"
    
    # HTC files  (css3pie)
    ExpiresByType text/x-component          "access plus 1 month"
    
    # Webfonts
    ExpiresByType application/x-font-ttf    "access plus 1 month"
    ExpiresByType font/opentype             "access plus 1 month"
    ExpiresByType application/x-font-woff   "access plus 1 month"
    ExpiresByType application/x-font-woff2  "access plus 1 month"
    ExpiresByType image/svg+xml             "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    
    # CSS and JavaScript
    ExpiresByType text/css                  "access plus 1 year"
    ExpiresByType application/javascript    "access plus 1 year"
    
    </IfModule>
    
    # Gzip compression
    <IfModule mod_deflate.c>
    # Active compression
    SetOutputFilter DEFLATE
    # Force deflate for mangled headers
    <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
    SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
    RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    # Don’t compress images and other uncompressible content
    SetEnvIfNoCase Request_URI \
    \.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp)$ no-gzip dont-vary
    </IfModule>
    </IfModule>
    
    # Compress all output labeled with one of the following MIME-types
    <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml \
    		                          application/javascript \
    		                          application/json \
    		                          application/rss+xml \
    		                          application/vnd.ms-fontobject \
    		                          application/x-font-ttf \
    		                          application/xhtml+xml \
    		                          application/xml \
    		                          font/opentype \
    		                          image/svg+xml \
    		                          image/x-icon \
    		                          text/css \
    		                          text/html \
    		                          text/plain \
    		                          text/x-component \
    		                          text/xml
    </IfModule>
    <IfModule mod_headers.c>
    Header append Vary: Accept-Encoding
    </IfModule>
    </IfModule>
    
    # END WP Rocket
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    # BEGIN WP-HUMMINGBIRD-CACHING
    # END WP-HUMMINGBIRD-CACHING
    # BEGIN WP-HUMMINGBIRD-GZIP
    # END WP-HUMMINGBIRD-GZIP
    <ifModule mod_deflate.c>
    <FilesMatch "\.(css|js|x?html?|php)$">
    SetOutputFilter DEFLATE
    </FilesMatch>
    </ifModule>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://club-mega.com/.*$      [NC]
    RewriteCond %{HTTP_REFERER} !^http://club-mega.com$      [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.club-mega.com/.*$      [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.club-mega.com$      [NC]
    RewriteCond %{HTTP_REFERER} !^https://club-mega.com/.*$      [NC]
    RewriteCond %{HTTP_REFERER} !^https://club-mega.com$      [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.club-mega.com/.*$      [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.club-mega.com$      [NC]
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>
    # php -- BEGIN cPanel-generated handler, do not edit
    # Set the “ea-php56” package as the default “PHP” programming language.
    <IfModule mime_module>
      AddType application/x-httpd-ea-php56 .php .php5 .phtml
    </IfModule>
    # php -- END cPanel-generated handler, do not edit
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
  • Dimitris

    Hey there club mega,

    hope you're doing good and don't mind chiming in here! :slight_smile:

    It seems that there are multiple instances of Defender's Prevent Information Disclosure.

    Could you please remove the following snippets:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##
    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    ## WP Defender - End ##

    and insert the one that my colleague Predrag mentioned in his previous reply, right at the very bottom of the .htaccess file:

    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    Let us know how that goes!
    Warm regards,
    Dimitris
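
One way to check a file for the duplicated blocks described in the reply above, as an added example that is not part of the original thread and not Defender's own code: it counts the marker-delimited Defender blocks, flags the file unless exactly one complete block is present, and rebuilds it with a single complete block at the bottom. The function names and the sample input are constructed for illustration.

```python
BEGIN = "## WP Defender - Prevent information disclosure ##"
END = "## WP Defender - End ##"
BODY = [  # body of the complete block quoted in the support replies
    "Options -Indexes",
    r'<FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">',
    "Order allow,deny", "Deny from all", "</FilesMatch>",
    "<Files robots.txt>", "Allow from all", "</Files>",
]

def split_blocks(text):
    """Separate Defender-marked blocks from every other line of the file."""
    other, blocks, current = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s == BEGIN:
            if current is not None:      # unterminated block: keep its lines
                other += [BEGIN] + current
            current = []
        elif s == END and current is not None:
            blocks.append([l.strip() for l in current])
            current = None
        else:
            (other if current is None else current).append(line)
    if current is not None:              # BEGIN without END at end of file
        other += [BEGIN] + current
    return other, blocks

def audit(text):
    """Count marked blocks and how many match the complete block exactly."""
    _, blocks = split_blocks(text)
    complete = sum(1 for b in blocks if b == BODY)
    return {"blocks": len(blocks), "complete": complete,
            "needs_cleanup": (len(blocks), complete) != (1, 1)}

def normalize(text):
    """Drop every marked block and append one complete block at the bottom."""
    other, _ = split_blocks(text)
    while other and not other[-1].strip():
        other.pop()
    return "\n".join(other + [BEGIN] + BODY + [END]) + "\n"

# Constructed sample, shortened from the pattern in the posted file.
SAMPLE = "\n".join(
    ["# BEGIN WordPress", "RewriteEngine On", "# END WordPress"]
    + [BEGIN] + BODY[1:] + [END]              # block missing Options -Indexes
    + 2 * [BEGIN, "Options -Indexes", END]    # Options-only repeats
) + "\n"

print(audit(SAMPLE), audit(normalize(SAMPLE)))
```

Run `normalize` on a backup copy of the file first; it leaves everything outside the Defender markers unchanged.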

  • Dimitris

    Hey there club mega,

    hope you're doing good today! :slight_smile:

    Could you please grant us temporary support access to your website so we could further inspect this?
    You can do so via the WPMUDEV Dashboard plugin as described in the next link (no need to share credentials): https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-4

    Let us know here in your next reply that access has been granted as we don't get any notifications about it, meanwhile I'll ping Defender's lead dev on this to provide some insights.

    Warm regards,
    Dimitris

  • Dimitris

    Hey there club mega,

    I inspected your website but I couldn't locate anything that could lead to this.
    Could you please try to deactivate all other plugins apart from Defender, activate a default theme like TwentySeventeen, clear/purge all caches from plugins and any server side mechanisms, and give that another try?

    If this gets resolved, activate them back one-by-one, checking each time until you find the conflicting combination.
    https://premium.wpmudev.org/wp-content/uploads/2015/09/Support-Process-Support-Process.gif

    If this isn't possible as this is a live website, you should consider creating a staging environment, meaning an exact copy of this WP installation in another location/folder in the same server, that could be used for testing and development.

    Looking forward to your feedback!
    Warm regards,
    Dimitris

  • Dimitris

    Hey there club mega,

    hope you're doing good today! :slight_smile:

    I had some feedback from the plugin's lead dev and he suspects that there's some server setup that can't be overridden by .htaccess rules, which is why they get bypassed.

    Could you please check with your hosting provider if and how these rules in .htaccess can be applied?

    Please let us know here about any development, or in case there was a conflict with other plugin(s).

    Warm regards,
    Dimitris
